RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow systemd services to use PrivateNetwork feature 

systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.
This commit is contained in:
Nicolas Iooss 2016-01-11 19:14:55 +01:00 committed by Chris PeBenito
parent 619b4adf78
commit 25bc2d5c1d
3 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
policy/modules/kernel/filesystem.if
View File

@ -3358,6 +3358,23 @@ interface(`fs_rw_nfsd_fs',`
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
########################################
## <summary>
## Read nsfs inodes (e.g. /proc/pid/ns/uts)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_read_nsfs_files',`
gen_require(`
type nsfs_t;
')
allow $1 nsfs_t:file read_file_perms;
')
########################################
## <summary>
## Getattr on pstore dirs.

1
policy/modules/kernel/filesystem.te
View File

@ -126,6 +126,7 @@ fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type nsfs_t;
fs_type(nsfs_t)
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
type oprofilefs_t;

3
policy/modules/system/init.te
View File

@ -199,6 +199,7 @@ ifdef(`init_systemd',`
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
@ -260,6 +261,8 @@ ifdef(`init_systemd',`
# mount-setup
fs_unmount_autofs(init_t)
fs_getattr_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)
# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)